Why you want labels for software, just like for food

Even more, possibly.


Do you know what an SBOM is? No? You should! To help you, here is my own synthesis, as simple as possible, of a much geekier post about a very geeky concept that, in an age where so much depends on how software is used AROUND you, becomes every year more important for everybody.

What Exactly Is an SBOM?

An SBOM (Software Bill of Materials) is the digital equivalent, for software, of a food label, or of the packing slip attached to the side of a parcel.

Those labels and slips tell you where the food or parcel came from, who packaged it and when, together with serial numbers and other tracking data, and of course a list of what is inside.

SBOMs let consumers and developers do the same with software components, plus a lot more.

An SBOM lists every component of a piece of software, with its name, version, a stable identifier and its license. That license information, for example, tells all the “consumers” of the software what they can legally do with it (modify, resell and so on). Even more important is the fact that an SBOM is machine-readable, so all the information it contains can be processed automatically; in particular, tools can check every listed component against databases of known security vulnerabilities, without anyone having to inspect the software by hand. One caveat: an SBOM only describes what its producer put in it, so it is only as trustworthy as that producer, which is why SBOMs should be digitally signed and should identify every component precisely enough to be looked up.

The Two SBOM Standards

Most projects that produce and/or process SBOMs today do so in one of two standards: CycloneDX and SPDX. Their differences, and how they interoperate, are a matter for software students and professionals, so I won’t cover them here. The only concept I want to share, and that every responsible citizen should know, is that:

  • SBOM standards “give the world a better introspection into software releases”
  • that “introspection” is absolutely vital for the correct operation of every service that uses software
  • and since the definition above includes pretty much the whole of human society, we had all better demand wide, complete adoption of SBOMs for all software, with both our wallets and our votes
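To make the two points above concrete (what an SBOM lists, and how a tool can check that list against known vulnerabilities and license rules, in either CycloneDX or SPDX form), here is a small added example. It is not code from this post or from the geekier post it summarises; the two SBOM documents are constructed by hand, the package names are hypothetical, the vulnerability “feed” is a constructed dictionary and its advisory ID is a placeholder rather than a real CVE. It also shows the caveat a practitioner cares about: an entry with no stable identifier (no package URL) cannot be checked automatically at all.

```python
import json
from typing import NamedTuple, Optional


class Component(NamedTuple):
    """One SBOM entry, normalised so CycloneDX and SPDX input compare equal."""
    name: str
    version: str
    purl: Optional[str]      # package URL: the stable identifier tools match on
    licenses: tuple          # SPDX license identifiers, empty if unknown


# Constructed CycloneDX 1.5 JSON document (hypothetical packages, not a real build).
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "barparser", "version": "0.9.0",
         "purl": "pkg:generic/barparser@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # A vendored blob nobody identified: no purl, no license.
        {"type": "file", "name": "vendored-blob", "version": "unknown"},
    ],
})

# The same inventory as a constructed SPDX 2.3 JSON document.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.2.3",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libfoo@1.2.3"}]},
        {"SPDXID": "SPDXRef-barparser", "name": "barparser", "versionInfo": "0.9.0",
         "licenseConcluded": "GPL-3.0-only",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/barparser@0.9.0"}]},
        {"SPDXID": "SPDXRef-blob", "name": "vendored-blob", "versionInfo": "unknown",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Constructed vulnerability feed keyed by purl. The advisory ID is a placeholder,
# not a real CVE; a real tool would query NVD, OSV or a vendor feed here.
KNOWN_VULNS = {"pkg:generic/barparser@0.9.0": ["EXAMPLE-0001"]}


def parse_cyclonedx(doc: dict) -> list:
    comps = []
    for c in doc.get("components", []):
        ids = tuple(lic["license"].get("id") or lic["license"].get("name")
                    for lic in c.get("licenses", []) if "license" in lic)
        comps.append(Component(c["name"], c.get("version", ""), c.get("purl"), ids))
    return comps


def parse_spdx(doc: dict) -> list:
    comps = []
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        lic = p.get("licenseConcluded")
        ids = (lic,) if lic and lic not in ("NOASSERTION", "NONE") else ()
        comps.append(Component(p["name"], p.get("versionInfo", ""), purl, ids))
    return comps


def load_sbom(text: str) -> list:
    """Detect the standard from the document itself and normalise it."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return parse_spdx(doc)
    raise ValueError("not a CycloneDX or SPDX JSON document")


def find_vulnerable(components, vuln_db) -> dict:
    """Map purl -> advisories for every component present in the feed."""
    return {c.purl: vuln_db[c.purl] for c in components if c.purl in vuln_db}


def unmatchable(components) -> list:
    """Entries with no purl cannot be checked automatically at all."""
    return [c.name for c in components if not c.purl]


def license_violations(components, allowed) -> list:
    """Names whose licenses are unknown or outside the allow-list."""
    return [c.name for c in components
            if not c.licenses or not set(c.licenses) <= set(allowed)]


if __name__ == "__main__":
    for text in (CYCLONEDX_SBOM, SPDX_SBOM):
        comps = load_sbom(text)
        print("vulnerable:", find_vulnerable(comps, KNOWN_VULNS))
        print("unmatchable:", unmatchable(comps))
        print("license violations:", license_violations(comps, {"MIT", "Apache-2.0"}))
```

Both documents normalise to the same three entries, and the checks give the same answers whichever standard was used: the library with a known advisory is flagged, the GPL-licensed one and the unlicensed blob fail a permissive-only policy, and the blob is reported as impossible to look up at all, which is exactly the kind of gap a “complete” SBOM is meant to remove.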